DEPARTMENT OF HOMELAND SECURITY
Office of Inspector General

Evaluation of DHS' Information Security Program for Fiscal Year 2004

Office of Information Technology

OIG-04-41                                                   September 2004


Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528


Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, investigative, and special reports prepared by the OIG as part of its DHS oversight responsibility to identify and prevent fraud, waste, abuse, and mismanagement.

This report assesses the strengths and weaknesses of the program or operation under review. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to the OIG, and have been discussed in draft with those responsible for implementation. It is my hope that this report will result in more effective, efficient, and economical operations. I express my appreciation to all of those who contributed to the preparation of this report.

Clark Kent Ervin
Inspector General


Contents

Introduction ..................................................... 2
   Background .................................................... 3
   Results in Brief .............................................. 4
   Results of Independent Evaluation ............................. 8

Appendices
   Appendix A:  Purpose, Scope, and Methodology .................. 19
   Appendix B:  Management's Comments ............................ 21
   Appendix C:  Digital Dashboard ................................ 22
   Appendix D:  System Inventory and IT Security Performance ..... 23
   Appendix E:  Identification of Significant Deficiencies ....... 25
   Appendix F:  OIG Assessment of the POA&M Process .............. 26
   Appendix G:  OIG Assessment of the Certification and Accreditation Process ... 27
   Appendix H:  Agencywide Security Configuration Requirements ... 28
   Appendix I:  Incident Detection and Handling Procedures ....... 29
   Appendix J:  Major Contributors to This Report ................ 30
   Appendix K:  Report Distribution .............................. 31

Abbreviations

   ATO                Authority to Operate
   C&A                Certification and Accreditation
   CBP                United States Customs and Border Protection
   CIO                Chief Information Officer
   CIP                Critical Infrastructure Protection
   CIS                United States Citizenship and Immigration Services
   CISO               Chief Information Security Officer
   COMSEC             Communications Security
   COOP               Continuity of Operations Plan
   CSIRC              Computer Security Incident Response Center
   DHS                Department of Homeland Security
   DISA               Defense Information Systems Agency
   E-authentication   Electronic Authentication
   EP&R               Emergency Preparedness and Response Directorate
   FIPS               Federal Information Processing Standard
   FISMA              Federal Information Security Management Act
   FY                 Fiscal Year
   IAIP               Information Analysis and Infrastructure Protection Directorate
   IATO               Interim Authority to Operate
   ICE                United States Immigration and Customs Enforcement
   IRP                Information Requirements Plan
   IS                 Information System
   ISSB               Information Systems Security Board
   ISSM               Information Systems Security Manager
   ISSO               Information Systems Security Officer
   IT                 Information Technology
   MD                 Management Directive
   NIST               National Institute of Standards and Technology
   NSA                National Security Agency
   NSS                National Security Systems
   OCIO               Office of the Chief Information Officer
   OE                 Organizational Element
   OIG                Office of Inspector General
   OMB                Office of Management and Budget
   PAR                Performance & Accountability Report
   POA&M              Plan of Action and Milestones
   Pub                Publication
   S&T                Science and Technology Directorate
   SP                 Special Publication
   TSA                Transportation Security Administration
   US-CERT            United States Computer Emergency Readiness Team
   USCG               United States Coast Guard
   USSS               United States Secret Service

Evaluation of DHS' Information Security Program for Fiscal Year 2004                Page 1


OIG
Department of Homeland Security
Office of Inspector General


Introduction

Due to the increasing threat to information systems and the highly networked nature of the federal computing environment, Congress, in conjunction with the Office of Management and Budget (OMB), requires an annual review and reporting of agencies' compliance with the requirements under the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA focuses on the program management, implementation, and evaluation of the security of unclassified, classified, and national security systems (NSS).[2]

   [1] FISMA is included under Title III of the E-Government Act (Public Law 107-347).
   [2] The term "national security system" means any information system, including any telecommunications system, used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency:
       (i)  the function, operation, or use of which involves intelligence activities; involves cryptographic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military intelligence missions (excluding a system that is to be used for routine administrative and business applications, i.e., payroll, finance, logistics, and personnel management applications), or
       (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

To comply with OMB's FISMA reporting requirements, we conducted an independent evaluation of the Department of Homeland Security's (DHS) information security program and practices. As part of our review, we evaluated DHS' established processes and the progress DHS has made in implementing its agencywide information security program. In doing so, we specifically assessed DHS' Plan of Action and Milestones (POA&M) and certification and accreditation (C&A) processes. We also focused on whether DHS' major organizational components are aligning their information security programs and practices with DHS' agencywide information security program. Additionally, we tested the effectiveness of information technology (IT) security controls for a subset of DHS' information systems. We did not gather statistical data for incident reporting and analysis or training as part of our evaluation.

We performed our work at both the program and the organizational component levels. The following major organizational components were included in our review: United States Customs and Border Protection (CBP), Emergency Preparedness and Response Directorate (EP&R), Information Analysis and Infrastructure Protection Directorate (IAIP), United States Immigration and Customs Enforcement (ICE), Science and Technology Directorate (S&T), Transportation Security Administration (TSA), United States Citizenship and Immigration Services (CIS), United States Coast Guard (USCG), and United States Secret Service (USSS). We also included the Office of Inspector General (OIG) in our evaluation. See Appendix A for a detailed discussion of our purpose, scope, and methodology.


Background

The E-Government Act of 2002 (Public Law 107-347), signed into law by the President on December 17, 2002, recognized the importance of information security[3] to the economic and national security interests of the United States. Title III of the E-Government Act, entitled FISMA, provides a comprehensive framework for ensuring the effectiveness of security controls over information resources that support federal operations and assets.

   [3] Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

FISMA requires each federal agency to develop, document, and implement an agencywide security program. The agency's security program should provide security for the information and the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. As specified in FISMA, agency heads are charged with conducting an annual evaluation of information programs and systems under their purview, as well as assessments of related security policies and procedures. OIGs are to independently evaluate the effectiveness of an agency's information security program and practices on an annual basis.

OMB issued memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, on August 23, 2004. The memorandum provides updated instructions for agency and OIG reporting under FISMA. This annual evaluation summarizes the results of our review of DHS' IT security program and practices according to OMB's instructions.

In addition to our independent evaluation, we conducted reviews of DHS' information systems and security program related areas throughout Fiscal Year (FY) 2004. This report summarizes the results of a limited number of systems evaluated during our on-going financial statement and classified systems reviews. It also includes results from an on-going audit of remote access, and reports issued on wireless security,[4] DHS' efforts to implement The National Strategy to Secure Cyberspace,[5] and DHS' IT management structure.[6]

   [4] Inadequate Security Controls Increase Risks to DHS' Wireless Networks, OIG-04-27, June 2004.
   [5] Progress and Challenges in Securing the Nation's Cyberspace, OIG-04-29, July 2004.
   [6] Improvements Needed to DHS' Information Technology Management Structure, OIG-04-30, July 2004.


Results in Brief

DHS has made significant progress over the last year in developing, managing, and implementing its information security program at the departmental level. DHS' Information Security Program Strategic Plan[7] provides the foundation for an agencywide, consolidated information security program. In this plan, DHS' Chief Information Officer (CIO) and Chief Information Security Officer (CISO) identify eight distinct security program areas, as shown in Figure 1. These areas are essential to provide security services that protect the confidentiality, integrity, and availability of information, and to assign accountability for the administration of DHS' networks and computing platforms. The strategic plan also describes the goals and objectives for establishing a dynamic information security organization over the next five years.

DHS' CIO, who has oversight responsibility for DHS' information security program, has delegated to the CISO, as required under FISMA, the authority to establish information security policies and procedures throughout the department. Under this authority, the CISO developed the Information Security Program Management Plan,[8] which is the CISO's blueprint for managing DHS' information security program. The CISO also developed and issued an Information Security Risk Management Plan,[9] which documents DHS' plan for developing, implementing, and institutionalizing a risk management process in support of its information security program.

The CISO updated the baseline IT security policies and procedures in Management Directive (MD) 4300; Sensitive Systems Policy Publication 4300A and its companion, the Sensitive Systems Handbook; and National Security Systems Policy Publication 4300B and its companion, the National Security Systems Handbook.[10] Additionally, DHS issued the ISSM Guide to the DHS Information Security Program (ISSM Guide),[11] which outlines the specific responsibilities of the components' Information Systems Security Managers (ISSM) and Information Systems Security Officers (ISSO). The guidelines provide the ISSMs with the guidance and procedures needed to align their security programs with DHS' Information Security Program. Together, these policies and procedures, if fully implemented by the components, should provide DHS with an effective information security program that complies with FISMA requirements.

   [7] Final, version 1, dated April 4, 2004.
   [8] Version 1.0, dated June 15, 2004.
   [9] Version 1, dated June 9, 2004.
   [10] The latest versions of 4300A, 4300B, and their corresponding handbooks are dated July 26, 2004.
   [11] Version 2.0, dated July 19, 2004.

Figure 1: Information Security Program Areas
[Figure not reproduced in this extraction.]
Source: ISSM Guide

To manage the organizational components' compliance with FISMA metrics and the effectiveness of their component-level information security programs, the CISO has developed a "digital dashboard," which uses red, yellow, and green indicators to reflect the status of each component's percentage of compliance.[12] The information used to develop the digital dashboard comes from DHS' enterprise management tool, Trusted Agent FISMA. See Appendix C for the digital dashboard as of September 18, 2004.

   [12] These metrics include the percentage of systems and projects with adequate life cycle security requirements funding, systems accredited, systems and applications for which an annual self-assessment has been completed, personnel (employees and contractors) with network accounts that completed security awareness training, and IT security professionals trained.

Even though DHS has made several improvements in its information security program, the organizational components have not yet fully aligned their respective security programs with DHS' overall policies, procedures, and practices. For example:

   •  DHS cannot effectively manage its information security program while lacking an accurate and complete system inventory. DHS has begun an effort with an outside contractor to identify and establish an agencywide system inventory. With the exception of IAIP, most components have made attempts to identify their inventory of programs and systems, including those that are contractor owned or operated.

   •  Although the terms have been defined a number of times, ISSMs for five of the nine components (CBP, EP&R, IAIP, S&T, and USSS) contacted us for additional clarification on the definition of programs and systems. This continued lack of understanding by those responsible for identifying required program and system information has hindered DHS' ability to compile a comprehensive system inventory.

   •  As reported in our FY 2003 security program evaluation, DHS' organizational components are not ensuring that all IT security weaknesses are included in POA&Ms. Therefore, DHS cannot effectively oversee and measure component-level FISMA metrics.

   •  FISMA metrics data, captured within Trusted Agent FISMA, is not comprehensively verified. Until this verification is accomplished, DHS cannot rely totally on the information reported by the organizational components in Trusted Agent FISMA, which impacts overall security program management.

   •  Most component-level policies and procedures are in draft, such as those for C&A, and have not been formally approved or communicated to program officials and members of the IT security organizations. For example, only three components (EP&R, ICE, and USCG) have updated their C&A policies to ensure their compliance with MD 4300 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37.[13]

   [13] NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004, provides guidelines for the C&A of information systems to help achieve more secure systems supporting executive agencies of the federal government. Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency's information security program.

While DHS has issued considerable guidance, we identified areas where agencywide information security procedures require strengthening: (1) wireless technologies according to NIST SP 800-48; (2) protecting critical infrastructures from cyber vulnerabilities and threats; (3) remote access to DHS' systems; (4) vulnerability scanning; (5) penetration testing; (6) incident detection, analysis, and reporting; (7) security configuration policies and procedures; (8) specialized security training; and (9) IT security training costs.

Additionally, although DHS' CIO is charged with implementing DHS' agencywide information security program, the CIO is not a member of the department's senior management team. Therefore, the CIO does not have the authority to strategically manage agencywide IT programs, systems, or investments. There is no formal reporting relationship between the DHS CIO and the component CIOs or between the CISO and the ISSMs. The lack of a formal reporting structure between the DHS CIO and CISO and the organizational components hinders agencywide support in implementing the information security program.[14]

   [14] Improvements Needed to DHS' Information Technology Management Structure, OIG-04-30, July 2004.

We made specific recommendations to assist DHS in the development and implementation of its information systems security program in our FY 2003 report. While a few of these recommendations were implemented, such as the certification of Trusted Agent FISMA and the reporting of DHS' information systems security program as a material weakness, recommendations related to the tracking and remediation of material weaknesses and completion of a system inventory remain open. We recommend that DHS continue to consider its information systems security program a significant deficiency for FY 2004.

We obtained written comments on a draft of this report from DHS' CIO. DHS generally concurred with the report's recommendations and has already initiated several projects in the latter part of FY 2004 that address some of the recommendations. These include a system inventory project that is working towards a comprehensive inventory of DHS' general support systems and major applications. Similarly, a project to review and verify FISMA metrics data captured within an automated system was recently initiated. These and other activities will continue to be implemented in FY 2005 to improve the communication between the CISO and DHS' components, and to increase the accountability of the components. See Appendix B for DHS' comments in their entirety.


Results of Independent Evaluation

System Inventory and IT Security Performance

Progress

   •  DHS hired a contractor, who has developed a system inventory methodology. Under the methodology, a consistent approach will be used to identify an inventory of DHS' systems across the organizational components, including contractor run systems. It will also help the department maintain an agencywide inventory of systems, major applications, networks, and interfaces that is consistent with its information systems security program. The OIG has reviewed the methodology and provided a listing of the components' systems. The contractor began interviews with the first of DHS' organizational components, TSA, on September 9, 2004.

   •  The ISSM Guide documents DHS' policy for conducting annual self-assessments for all programs and systems according to NIST SP 800-26.[15] It also adequately defines the requirements for POA&M reporting, including the ISSMs' duties and responsibilities for developing and managing the POA&M process at the organizational component level.

   •  DHS has adopted an enterprise management tool, Trusted Agent FISMA, to collect and track data related to all FISMA metrics, including self-assessment data. Trusted Agent FISMA also collects data on other FISMA metrics, such as the number of systems with contingency plans, system contingency plans tested, systems certified and accredited, and employees that have received IT security awareness training. DHS has mandated that the organizational components enter metrics data in Trusted Agent FISMA, and requires that the information be updated every 30 days.

   •  DHS issued guidance, which references OMB M-04-04 and NIST SP 800-63, for conducting electronic authentication (E-authentication) risk assessments.[16] Three organizational components (CBP, USCG, and USSS) have begun E-authentication risk assessments.

   [15] NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, dated November 2001, provides guidance for performing systems self-assessments for 17 different control areas, such as those pertaining to identification and authentication and contingency planning. In addition, the guide provides control objectives and techniques that can be measured for the control areas. Self-assessments provide a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement.
   [16] E-authentication is the process of establishing confidence in user identities electronically presented to an information system. OMB M-04-04, E-Authentication Guidance for Federal Agencies, provides agencies with the criteria for determining the level of E-authentication assurance required for specific applications and transactions, based on the risks and their likelihood of occurrence for each application and transaction. NIST SP 800-63, Electronic Authentication Guideline, dated June 2004, provides technical guidance that supplements the OMB guidance, which defines four levels of authentication, Levels 1 to 4, in terms of the consequences of authentication errors and the misuse of credentials.

Issues to be Addressed

   •  DHS has not yet compiled a comprehensive inventory of its programs and systems, nor identified its major applications or nationally critical systems. Without a complete and accurate inventory of its information systems, DHS cannot effectively manage its information systems security program or adequately test and evaluate the effectiveness of the information security controls over its mission critical resources.

   •  In FY 2003, DHS hired a contractor to develop an inventory of DHS' major applications and general information support systems from February to April 2003. At that time, the CIO believed that the contractor had identified 90 to 95 percent of all information systems within DHS. In FY 2004, DHS hired another contractor to identify its system inventory for FISMA purposes.

   •  DHS' policy and procedures do not provide organizational components with guidance on conducting reviews of their contractor or other agency-provided services. Further, there was little evidence that components are ensuring that contractor or other agency-provided services are secure and comply with DHS' security program requirements.

   •  In an attempt to validate DHS' self-assessment process, we selected a sample of NIST SP 800-26 evaluations completed by seven organizational components (CBP, CIS, EP&R, ICE, S&T, USCG, and USSS). We then independently scored each question and compared our results to the components' completed questionnaires. In several instances, we noted that we scored components either higher or lower for specific questions. We also identified that components did not properly define security weaknesses. Additionally, five components included in our review (CIS, EP&R, ICE, S&T, and USCG) did not develop POA&Ms for all system weaknesses identified through their NIST SP 800-26 self-assessments.

   •  With the exception of USSS, the results of self-assessments are not verified by the organizational components' CIOs.

See Appendix D for specific System Inventory and IT Security Performance data.

Significant Deficiencies[17]

Progress

   •  DHS has developed a process to capture and report significant deficiencies in POA&Ms at the department level and for each organizational component.

   •  DHS' ISSM Guide requires the CISO to prioritize IT security weaknesses.

Issues to be Addressed

   •  DHS has not implemented fully a process for identifying, managing, or verifying the accuracy of
signi\xef\xac\x81cant de\xef\xac\x81ciencies reported. In addition,\n                                   known, signi\xef\xac\x81cant de\xef\xac\x81ciencies are not being prioritized for remediation.\n                              \xe2\x80\xa2    Two weaknesses are \xef\xac\x82agged as agencywide IT material weaknesses within\n                                   Trusted Agent FISMA. However, within Trusted Agent, we identi\xef\xac\x81ed\n                                   inconsistencies in reporting of material weaknesses. For example, the Of\xef\xac\x81ce\n                                   of the CIO\xe2\x80\x99s (OCIO) POA&M reports two material weaknesses, but the \xe2\x80\x9cFY\n                                   2004 Material Weaknesses by Organizational Elements\xe2\x80\x9d report shows only the\n                                   one signi\xef\xac\x81cant de\xef\xac\x81ciency reported in the Performance Accountability Report\n                                   (PAR) for FY 2003.\n                              \xe2\x80\xa2    DHS does not have a process to ensure that all material weaknesses reported\n                                   in the PAR and other sources (i.e., OIG audits, GAO audits, and NIST SP 800-\n                                   26 assessments) are identi\xef\xac\x81ed and documented in a POA&M for remediation.\n\n\n\n17\n  A signi\xef\xac\x81cant de\xef\xac\x81ciency is a weakness in an agency\xe2\x80\x99s overall information systems security program or management control structure, or\nwithin one or more information systems, that signi\xef\xac\x81cantly restricts the capability of the agency to carry out its mission or compromises the\nsecurity of information, information systems, personnel, or other resources, operations, or assets.\n\n\n\n                      Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004                                         Page 11\n\x0c                             \xe2\x80\xa2    
Agencywide, material, IT security weaknesses have not been identi\xef\xac\x81ed as\n                                  signi\xef\xac\x81cant de\xef\xac\x81ciencies at the respective components.\n                             \xe2\x80\xa2    DHS\xe2\x80\x99 CIO does not have suf\xef\xac\x81cient staff to manage, verify and/or assess the\n                                  accuracy and consistency of signi\xef\xac\x81cant de\xef\xac\x81ciencies, evaluate and prioritize\n                                  signi\xef\xac\x81cant de\xef\xac\x81ciencies for remediation, or verify that the signi\xef\xac\x81cant\n                                  de\xef\xac\x81ciencies are linked to the budget and remediation process. 18\n\n                             See Appendix E for speci\xef\xac\x81c signi\xef\xac\x81cant de\xef\xac\x81ciencies identi\xef\xac\x81ed.\n\n                    OIG Assessment of the Plan of Action and Milestones Process\n\n                             Progress\n\n                             \xe2\x80\xa2    DHS has developed an adequate process for reporting and capturing known\n                                  security weaknesses in POA&Ms, as shown in Figure 2. DHS has also issued\n                                  high-level guidance on the POA&M process.\n                             \xe2\x80\xa2    DHS has adopted an enterprise management tool, Trusted Agent FISMA,\n                                  to collect and track data related to all POA&M activities, including self-\n                                  assessment data. 
   Trusted Agent FISMA also collects data on other FISMA metrics, such as the number of system contingency plans, system contingency plans tested, systems certified and accredited, and employees that have received IT security awareness training.
•  A FISMA Management and Reporting Working Group, established in June 2004, meets monthly to foster a dialogue between the OCIO and the organizational components, obtain the components' input on ways to improve the FISMA data collection effort, and address problems and issues that relate to the use of Trusted Agent FISMA.
•  ISSOs are responsible for entering all known security weaknesses identified, as well as updating the progress for mitigating each of the security weaknesses, in Trusted Agent FISMA. ISSMs are responsible for reviewing the organizational components' POA&M data for consistency and accuracy.

Issues to be Addressed

•  DHS cannot rely on the accuracy and completeness of the data contained in Trusted Agent FISMA. Specifically, the information entered by the organizational components is not comprehensively verified; there is no audit trail capability; and some of the fields, such as the "Scheduled Completion Date" for POA&M milestones, can be arbitrarily revised by the organizational components. In August 2004, a contractor was brought on board to do a complete review and analysis of DHS' POA&Ms.
•  Seven of nine components (EP&R, IAIP, ICE, OIG, S&T, TSA, and USCG) have not documented and implemented their POA&M process to ensure that their POA&Ms contain all known security weaknesses, have been reviewed for accuracy and completeness, have been prioritized, and are in compliance with all applicable DHS policies.
•  POA&M data in Trusted Agent FISMA is not current and is not updated periodically.
•  DHS' CISO does not have the authority to oversee and ensure that the organizational components' implementation and management of the POA&M process complies with DHS' agencywide security program policies and procedures. Strong oversight is needed to ensure that DHS has an enterprise-wide, repeatable, and robust POA&M process for meeting FISMA's security requirements and to ensure accurate assessments of the aggregated security postures of each organizational component.
•  System-level POA&Ms are not linked to individual components' budget submissions. The CISO does not enforce the requirement that components prioritize security weaknesses and estimate the funding necessary to mitigate the weaknesses identified in their POA&M submissions via Trusted Agent FISMA. Only one component (EP&R) had documentation that linked its system-level POA&Ms to its budget submission.
•  OIG findings have not been incorporated into the POA&M process.
•  Only four components (CBP, ICE, USCG, and USSS) stated that their program officials are involved in the POA&M process.
•  Only three components (CBP, EP&R, and USCG) capture security weaknesses from all sources, as required by OMB,[19] in their POA&Ms.

[18] Improvements Needed to DHS Information Technology Management Structure, OIG-04-30, July 2004.

[19] OMB's guidance requires agencies to capture in their POA&Ms all security weaknesses found during any review done by, for, or on behalf of the agency, including program reviews, OIG audits, GAO audits, financial system audits, and critical infrastructure vulnerability assessments.

See Appendix F for the OIG Assessment of the POA&M Process.
Figure 2: DHS' POA&M Process (figure; source: ISSM Guide)

OIG Assessment of the Certification and Accreditation Process

Progress

•  Sensitive Systems Policy Publication 4300A specifies that the organizational components are to follow NIST SP 800-37 for all sensitive systems certified and accredited after May 2004. This process is documented in the ISSM Guide, as shown in Figure 3.
•  In August 2004, DHS purchased a C&A tool. A decision on whether components will be required to use the tool will be made after a piloting phase. ICE is the primary component involved in the pilot effort.
•  Four components (CBP, EP&R, ICE, and USSS) have a documented process for incorporating security costs into the system life cycle process.

Figure 3: DHS' C&A Process (figure; source: ISSM Guide)

Issues to be Addressed

•  DHS may overstate to OMB the number of systems certified and accredited, because Trusted Agent FISMA does not distinguish between systems with an Interim Authority to Operate (IATO) and systems fully accredited with an Authority to Operate (ATO). For example, three ICE systems listed as having ATOs in Trusted Agent FISMA had only been granted IATOs. Systems with IATOs should not be included in an agency's count of its systems certified and accredited.
•  DHS cannot identify systems that are due for recertification and accreditation based on the information reported in Trusted Agent FISMA.
•  Five components (EP&R, IAIP, ICE, S&T, and USCG) reported that they did not have the ability to track the C&A status of the systems they identified in their inventory.
•  Components have not defined impact levels for all systems in Trusted Agent FISMA according to draft Federal Information Processing Standard (FIPS) Publication (Pub) 199.[20]
•  System accreditation packages for 12 systems included in our review did not meet all applicable OMB and NIST guidelines. Specifically, our quality reviews of the accreditation packages found instances in which systems were accredited even though: (1) key security documents (such as system security plans, risk assessments, and contingency plans) did not meet all the requirements outlined in applicable NIST guidance; (2) documentation did not clearly indicate what residual risks the accrediting official was accepting in making the accreditation decision; and (3) contingency plans had not been developed or tested.
•  Only three components (EP&R, ICE, and USCG) have updated their C&A policies to ensure that they comply with Sensitive Systems Policy Publication 4300A and NIST SP 800-37. One component (CBP) indicated that it planned to use its existing policies to reaccredit its legacy systems instead of following NIST SP 800-37.
•  Five components (IAIP, OIG, S&T, TSA, and USCG) lacked a solid, documented, and implemented process to ensure IT security costs are integrated into the system life cycle process.

[20] FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems, dated December 2003, defines the standards all federal agencies are to use in categorizing information and information systems according to a range of risk levels impacting the confidentiality, integrity, and availability of the information or information systems.

See Appendix G for the OIG Assessment of the C&A Process.

Agencywide Security Configuration Requirements

Progress

•  DHS has developed agencywide security configuration policies and procedures for Windows 2000 and Solaris.
•  Several of the components included in our review have developed their own baseline security configuration requirements, or incorporated some of the configuration guidelines published by other agencies (such as NIST, the National Security Agency [NSA], and the Defense Information Systems Agency [DISA]), for at least some of their applications and operating system environments.
   For example, CBP is using NSA and DISA guidelines as a baseline to develop its policies; IAIP uses NSA guidelines as a baseline for its policies; and USCG has produced its own configuration policies.

Issues to be Addressed

•  Because DHS agencywide security configuration policies and procedures for Windows 2000 and Solaris were not issued until September 16, 2004, we were not able to evaluate the degree to which the guidelines address the patching of vulnerabilities or the extent to which they had been implemented. Policies and procedures for other applications and operating system environments have not yet been developed.
•  None of the DHS components we reviewed have implemented security configuration requirements for all of their systems.

See Appendix H for information regarding DHS' Agencywide Security Configuration Requirements.

Incident Detection and Handling Procedures

Progress

•  DHS has established and implemented agencywide policy and procedures for reporting incidents to the United States Computer Emergency Readiness Team (US-CERT).[21]
•  DHS has established a vulnerability assessment program.
•  DHS employs various devices and technologies (such as network and host based intrusion detection devices, packet filtering, and proxy firewalls) to help protect against malicious activity and to mitigate its IT security risks.

Issues to be Addressed

•  DHS does not have reliable measures or a baseline to assess the results of its vulnerability scans or its penetration tests.
•  DHS' vulnerability assessment program is not being enforced and does not have organizational component support. Therefore, DHS does not have a mechanism to collect and analyze the results of all its scans and tests.
•  DHS does not have documented procedures for reporting incidents externally to law enforcement authorities.

[21] US-CERT, established in September 2003, is a public-private partnership charged with improving computer security preparedness and response to cyber attacks in the United States. Specifically, US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.

See Appendix I for the Incident Detection and Handling Procedures.

Incident Reporting and Analysis

Progress

•  DHS has established and implemented agencywide policy and procedures for reporting incidents internally.

Issues to be Addressed

•  DHS has not defined a process or procedures for incident analysis.
•  DHS is not uniformly collecting OMB-required information when incidents are reported, nor can it identify whether systems affected by an incident have been certified and accredited or whether required system patches have been installed.

Training

Progress

•  DHS has established policies for security awareness training and the use of peer-to-peer file sharing software on DHS computers.
•  Additionally, ISSMs have been given the authority to develop their own information security training program, under the guidance of the Department's Program Manager for Information Security Training, Education, and Awareness.
•  During FY 2004, three methods were available for ensuring employees and their contractors received annual security awareness training: CD, on-line tutorial, and classroom-based.

Issues to be Addressed

•  DHS' security awareness training does not explain policy on peer-to-peer file sharing.[22]
•  Identification and management of all employees, contractors, and other government personnel with access to components' information continues to be a challenge. Many organizational components identify who needs training based on whether they have an account on DHS' network.
•  DHS has not identified employees with significant IT security responsibilities or been able to ensure that employees in those positions have received the necessary specialized security training. Only one of the components (CBP) has identified employees in those positions that need specialized training and ensured that required training was received.
•  Costs associated with IT security training are not being captured.

[22] This answers question G.2.a from the OMB reporting requirements for Section G, Training.

Appendix A
Purpose, Scope, and Methodology

The objective of this review was to determine whether DHS has developed adequate and effective information security policies, procedures, and practices, in compliance with FISMA.
We also evaluated DHS' progress in developing, managing, and implementing its information security program.

Our independent evaluation focused on DHS' information security program and practices, based on the requirements outlined in FISMA, as outlined in OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act. We conducted our work at the program level and at DHS' major organizational components (CBP, EP&R, IAIP, ICE, S&T, TSA, USCG, and USSS), including the OIG.

As part of our evaluation of DHS' compliance with FISMA, we tested the effectiveness of IT security controls for a subset of DHS' information systems. We also assessed DHS' compliance with the security requirements mandated by FISMA and other federal information systems security policies, procedures, standards, and guidelines, including NIST SP 800-26, NIST SP 800-37, and FIPS Pub 199. Specifically, we (1) used last year's FISMA independent evaluation as a baseline for this year's review and assessed the progress that DHS has made in resolving weaknesses previously identified; (2) focused on reviewing DHS' POA&M process to ensure that all security weaknesses are identified, tracked, and addressed; (3) identified the policies, procedures, and practices that DHS has at the program level and at the organizational component level; (4) evaluated processes (i.e., C&A, security training, and incident response) DHS has implemented as part of its agencywide information security program; and (5) developed our independent evaluation of DHS' information security program.

Though we evaluated DHS' processes for incident reporting and analysis and security training, we did not gather statistical information to complete the applicable OMB tables for these areas. We determined that we would rely on the data DHS collected to complete these tables.

OIG audit contractors were responsible for: (1) testing DHS' compliance with an abbreviated version of NIST SP 800-26 for a sample of eight systems at seven organizational components (CBP, CIS, EP&R, ICE, S&T, USCG, and USSS) to ensure that weaknesses, if any, are identified, captured, and tracked in the POA&Ms; and (2) evaluating DHS' major organizational components' progress in developing, aligning, and managing their information security program and practices in compliance with DHS' agencywide information security program. CIS was only included in our scope for our validation of NIST SP 800-26 assessments.

All audit work was conducted between April and September 2004.

******

Throughout the review, we worked closely with the OCIO and personnel at the major organizational components. The cooperation and courtesies extended to the audit team and our contractors are appreciated. The principal OIG points of contact for the audit are Frank Deffer, Assistant Inspector General, Office of Information Technology, (202) 254-4041, and Edward G. Coleman, Director, Information Security Audit Division, (202) 254-5444. Major OIG contributors to the audit are identified in Appendix J.

Appendix B
Management Comments

Appendix C
Digital Dashboard

Appendix D
System Inventory and IT Security Performance

By bureau (or major agency operating component), identify the total number of programs and systems in the agency and the total number of contractor operations or facilities. The agency CIOs and OIGs shall each identify the total number that they reviewed as part of this evaluation in FY 2004.
NIST 800-26 is to be used as guidance for these reviews.

For each part of this question, identify actual performance in FY04 for the total number of systems by bureau (or major agency operating component) in the format provided below.

Bureau Name: Total (agencywide totals only; see Note below)

                                                                                  Total      Number      Percent of
                                                                                  Number     Reviewed    Total
  FY04 Programs                                                                   45 (a)     1 (b)       -
  FY04 Systems                                                                    387 (a)    63 (c)      -
  FY04 Contractor Operations or Facilities                                        13 (a)     0           -
  Number of systems certified and accredited                                      27 (c)     -           43% (g)
  Number of systems with security control costs integrated into the life
    cycle of the system                                                           (d)        -           (d)
  Number of systems for which security controls have been tested and
    evaluated in the last year                                                    24 (e)     -           38% (g)
  Number of systems with a contingency plan                                       30 (f)     -           48% (g)
  Number of systems for which contingency plans have been tested                  13 (f)     -           21% (g)

Comments:

Note: Only agencywide totals are provided.

(a) Based on our June 2004 data call to ISSMs of nine major components; CIS was only included in our scope for our validation of NIST SP 800-26 assessments. The DHS CIO and OIG agree on the total number of systems for FY 2004.
(b) Based on our ongoing financial statement audit.
(c) Based on our C&A quality review, ongoing financial statement audit, validation of a sample of DHS' NIST SP 800-26 evaluations, ongoing review of classified systems, and audit of wireless networks (Inadequate Security Controls Increase Risks to DHS Wireless Networks, OIG-04-27, June 2004).
(d) We did not collect this information during our FY 2004 audit work.
(e) Based on our ongoing CFO audit, validation of a sample of DHS' NIST SP 800-26 evaluations, and ongoing review of classified systems.
(f) Based on our C&A quality review, ongoing financial statement audit, validation of a sample of DHS' NIST SP 800-26 evaluations, and ongoing review of classified systems.
(g) Percentages are based on the 63 systems the OIG reviewed, not the 387 systems reported for DHS.

System Inventory and IT Security Performance

Evaluate the degree to which the following statements reflect the status in your agency, by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.

  Statement                                                                       Evaluation
  a.
Agency program of\xef\xac\x81cials and the agency CIO have used\n   appropriate methods to ensure that contractor provided services or\n   services provided by another agency for their program and systems\n                                                                                                      Yes\n   are adequately secure and meet the requirements of FISMA, OMB\n   policy and NIST guidelines, national security policy, and agency\n   policy.\nb. The reviews of programs, systems, and contractor operations or\n   facilities, identi\xef\xac\x81ed above, were conducted using the NIST self-                                   Yes\n   assessment guide, 800-26.\nc. In instances where the NIST self-assessment guide was not used to\n   conduct reviews, the alternative methodology used addressed all                        N/A (Must use SP 800-26)\n   elements of the NIST guide.\nd. The agency maintains an inventory of major IT systems and this\n                                                                                                      No\n   inventory is updated at least annually.\ne. The OIG was included in the development and veri\xef\xac\x81cation of the\n                                                                                                      Yes\n   agency\xe2\x80\x99s IT system inventory.\nf. The OIG and the CIO agree on the total number of programs,\n                                                                                                      Yes\n   systems, and contractor operations or facilities.\ng. The agency CIO reviews and concurs with the major IT investment\n   decisions of bureaus (or major operating components) within the                                   Yes(a)\n   agency.\n                                                    Statement                                                              Yes or No\nh. The agency has begun to assess systems for E-authentication risk.                                             
              Yes\ni. The agency has appointed a senior agency information security of\xef\xac\x81cer that reports directly to the CIO.                      Yes\n\n\n\n\n   Comments:\n\n   (a)\n         The Investment Review Board (IRB) is in charge of reviewing IT investments. Though the CIO is a voting member\n         of the IRB and is called upon as needed to provide guidance on IT investments, the CIO does not have full authority\n         to approve major IT programs, systems, or investments (Improvements Needed to DHS\xe2\x80\x99 Information Technology\n         Management Structure, OIG-04-30, July 2004).\n\n\n\n\n                        Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004                            Page 25\n\x0cAppendix E\nIdenti\xef\xac\x81cation of Signi\xef\xac\x81cant De\xef\xac\x81ciencies\n\n\n\n Identi\xef\xac\x81cation of Signi\xef\xac\x81cant De\xef\xac\x81ciencies\n By bureau, identify all FY 2004 signi\xef\xac\x81cant de\xef\xac\x81ciencies in policies, procedures, or practices required to be\n reported under existing law. Describe each on a separate row, and identify which are repeated from FY\n 2003. In addition, for each signi\xef\xac\x81cant de\xef\xac\x81ciency, indicate whether a POA&M has been developed. 
Insert\n rows as needed.\n                                                           FY04 Signi\xef\xac\x81cant De\xef\xac\x81ciencies\n\n                                          Number\n                           Total                                                                      POA&M developed?\n                                         Repeated      Identify and Describe Each Signi\xef\xac\x81cant\n Bureau Name              Number\n                                        from FY03                    De\xef\xac\x81ciency\n                                                                                                         Yes or No\n\n\n                                                           \xe2\x80\xa2    Security Program, Program\n                                                                Management Of\xef\xac\x81ce.\n\n                                                           \xe2\x80\xa2    Security Program \xe2\x80\x93\n                                                                Compliance and Oversight:\n OCIO                         2              (a)\n                                                                                                              Yes\n                                                                POA&M tracking is not\n                                                                FISMA compliant. 
The\n                                                                POA&M management\n                                                                system needs to be\n                                                                completed.\n Agency Total\n\n Comments:\n\n (a)\n       We were unable to determine the number of signi\xef\xac\x81cant de\xef\xac\x81ciencies repeated from FY 2003 because component material\n       weaknesses from FY 2003 were consolidated with FY 2004 OCIO signi\xef\xac\x81cant de\xef\xac\x81ciencies.\n\n\n\n\n Page 26                               Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004\n\x0c                                                                                     Appendix F\n                                                                                     OIG Assessment of the POA&M Process\n\n\nOIG Assessment of the POA&M Process\nAssess whether the agency has developed, implemented, and is managing an agencywide plan of action and milestone (POA&M) process.\nThis question is for OIGs only. Evaluate the degree to which the following statements re\xef\xac\x82ect the status in your agency by choosing from the\nresponses provided in the drop down menu. If appropriate or necessary, include comments in the Comment area provided below.\n                         Statement                                                              Evaluation\n                                                                                       Rarely, or 0-50% of the time\n                                                                DHS\xe2\x80\x99 ISSOs are to use Trusted Agent FISMA to develop, track, and\n                                                                manage POA&Ms for all systems under their control. DHS\xe2\x80\x99 ISSMs are\n     a.        
Known IT security weaknesses, from all\n                                                                to conduct quarterly reviews of the consistency and accuracy of their\n               components, are incorporated into the\n                                                                POA&M data. Seven of the nine components reviewed lack a documented\n               POA&M.\n                                                                and implemented POA&M process to ensure POA&Ms contain all\n                                                                weaknesses. We did not verify whether all known IT security weaknesses\n                                                                were incorporated into the POA&M.\n                                                                                       Rarely, or 0-50% of the time\n     b.       Program of\xef\xac\x81cials develop, implement,              According to DHS\xe2\x80\x99 POA&M policy, program of\xef\xac\x81cials are to develop,\n               and manage POA&Ms for systems they               implement, and manage corrective action plans for all programs and\n               own and operate (systems that support            systems that support their operations and assets. However, seven of the\n               their programs) that have an IT security         nine components reviewed have either not developed, or are in the process\n               weakness.                                        
of developing a well-documented POA&M process for systems they own\n                                                                and operate.\n                                                                                       Rarely, or 0-50% of the time\n                                                                According to DHS\xe2\x80\x99 POA&M policy, program of\xef\xac\x81cials are to develop,\n                                                                implement, and manage corrective action plans for all programs and\n     c.        Program of\xef\xac\x81cials report to the CIO on a\n                                                                systems that support their operations and assets. ISSMs are to ensure that\n               regular basis (at least quarterly) on their\n                                                                Trusted Agent FISMA is used to manage the remediation of IT program\n               remediation progress.\n                                                                and system weaknesses within their organizational components. The CIO\n                                                                does not receive reports of remediation progress. The CIO does not ensure\n                                                                that components update the status of their remediation progress.\n     d.        CIO develops, implements, and manages\n                                                                                       Rarely, or 0-50% of the time\n               POA&Ms for every system they own and\n                                                                DHS\xe2\x80\x99 CIO has not developed or implemented POA&Ms for every\n               operate (a system that supports their\n                                                                system owned and operated. 
The CIO has not compiled a comprehensive\n               program or programs) that has an IT\n                                                                inventory of all systems.\n               security weakness.\n     e.        CIO centrally tracks, maintains, and                                  Rarely, or 0-50% of the time\n               reviews all POA&M activities on at least a       While the CIO maintains the quarterly POA&Ms, DHS does not verify the\n               quarterly basis.                                 accuracy or completeness of the report.\n                                                                                       Rarely, or 0-50% of the time\n     f.        The POA&M is the authoritative agency            The POA&M is DHS\xe2\x80\x99 authoritative tool to identify and monitor the status\n               and IG management tool to identify and           of IT security weaknesses. We do not use POA&Ms as our authoritative\n               monitor agency actions for correcting            management tool. We also conduct vulnerability analyses to identify\n               information and IT security weaknesses.          weaknesses and perform follow-up audits to monitor the status of\n                                                                corrective actions.\n                                                                                       Rarely, or 0-50% of the time\n     g.        System-level POA&Ms are tied directly to         At the component level, linkage of security costs to the budget was\n               the system budget request through the IT         minimal. There are different opinions and approaches by the components\n               business case as required in OMB budget          on how to report resources and costs in POA&Ms. Approaches ranged\n               guidance (Circular A-11).                        
from no reporting, to only reporting what could not be covered in existing\n                                                                program funds.\n     h.        OIG has access to POA&Ms as requested.                            Almost always, or 96-100% of the time\n     i.        OIG \xef\xac\x81ndings are incorporated into the                                   Rarely, or 0-50% of the time\n               POA&M process.                                   OIG \xef\xac\x81ndings are not incorporated into the POA&M process.\n     j.        POA&M process prioritizes IT security\n               weaknesses to help ensure that signi\xef\xac\x81cant                             Rarely, or 0-50% of the time\n               IT security weaknesses are addressed in          Most of the components do not have a formal process to prioritize their IT\n               a timely manner and receive appropriate          security weaknesses.\n               resources.\n                     Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004                                              Page 27\n\x0cAppendix G\nOIG Assessment of the C&A Process\n\n\n\n OIG Assessment of the Certi\xef\xac\x81cation and Accreditation Process\n Assess the agency\xe2\x80\x99s certi\xef\xac\x81cation and accreditation process in order to provide a qualitative assessment\n of this critical activity. This assessment should consider the quality of the Agency\xe2\x80\x99s certi\xef\xac\x81cation\n and accreditation process. Any new certi\xef\xac\x81cation and accreditation work initiated after completion\n of NIST SP 800-37 should be consistent with NIST SP 800-37. This includes use of the FIPS 199,\n \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to\n determine an impact level, as well as associated NIST documents used as guidance for completing\n risk assessments and security plans. 
Earlier NIST guidance is applicable to any certi\xef\xac\x81cation and\n accreditation work completed or initiated before \xef\xac\x81nalization of NIST SP 800-37. Agencies were not\n expected to use NIST SP 800-37 as guidance before it became \xef\xac\x81nal.\n               Statement                                                 Evaluation\n Assess the overall quality of the\n                                                                             Poor\n Agency\xe2\x80\x99s certi\xef\xac\x81cation and accreditation\n process.\n                                               We determined that 11 of the 12 systems evaluated were\n                                               certi\xef\xac\x81ed and accredited using a number of different\n Comments:\n                                               processes: National Information Assurance Certi\xef\xac\x81cation\n Although OMB encouraged the early\n                                               and Accreditation Process, Department of Defense\n implementation of draft NIST SP\n                                               Information Technology Security Certi\xef\xac\x81cation and\n 800-37 by issuing interim certi\xef\xac\x81cation\n                                               Accreditation Process, Presidential Decision Directive\n and accreditation guidance to federal\n                                               63, Treasury Directive P 71-10. Speci\xef\xac\x81cally, we noted\n agencies in July 2003, DHS did not\n                                               instances in which key security documents prepared did\n require its organizational components to\n                                               not meet all OMB and NIST requirements, such as:\n follow the NIST SP 800-37 process until\n the publication was \xef\xac\x81nalized in May\n                                                   \xe2\x80\xa2   Up-to-date and approved system security plan.\n 2004. 
Because of DHS\xe2\x80\x99 late adoption of\n                                                   \xe2\x80\xa2   Current risk assessment.\n NIST SP 800-37, we could not evaluate\n                                                   \xe2\x80\xa2   Contingency plan.\n new certi\xef\xac\x81cation and accreditation work\n initiated after May 2004. However,\n                                               Until DHS has a complete inventory of its systems,\n we selected 12 certi\xef\xac\x81ed and accredited\n                                               they will be unable to determine whether all of its\n systems at four components, and\n                                               systems have been certi\xef\xac\x81ed and accredited. A complete\n evaluated three key security documents\n                                               inventory of major information systems is a key element\n that are part of the accreditation\n                                               of FISMA and is needed to effectively manage DHS\xe2\x80\x99 IT\n packages for compliance with applicable\n                                               resources and its information security program.\n OMB and NIST guidance.\n\n\n\n\nPage 28                         Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004\n\x0c                                                               Appendix H\n                                                               Agencywide Security Con\xef\xac\x81guration Requirements\n\n\n\nPolicies and Security Con\xef\xac\x81gurations\nFirst, answer D.1. If the answer is yes, then proceed. If no, then skip to Section E. For D.1.a-f, identify whether agencywide\nsecurity con\xef\xac\x81guration requirements address each listed application or operating system (Yes, No, or Not Applicable), and then\nevaluate the degree to which these con\xef\xac\x81gurations are implemented on applicable systems. 
For example: If your agency has a\ntotal of 200 systems, and 100 of those systems are running Windows 2000, the universe for evaluation of degree would be 100\nsystems. If 61 of those 100 systems follow con\xef\xac\x81guration requirement policies, and the con\xef\xac\x81guration controls are implemented, the\nanswer would re\xef\xac\x82ect \xe2\x80\x9cyes\xe2\x80\x9d and \xe2\x80\x9c51-70%\xe2\x80\x9d. If appropriate or necessary, include comments in the Comment area provided below.\nAnswer Yes or No, and then evaluate the degree to which the con\xef\xac\x81guration requirements address the patching of security\nvulnerabilities. If appropriate or necessary, include comments in the Comment area provided below.\nHas the CIO implemented agencywide policies that require detailed\n                                                                   Yes, No, or\nspeci\xef\xac\x81c security con\xef\xac\x81gurations and what is the degree by which the                                 Evaluation\n                                                                      N/A\ncon\xef\xac\x81gurations are implemented?\na.   Windows XP Professional                                           No        Due to the use of legacy systems at DHS\xe2\x80\x99\nb.   Windows NT                                                        No        components and the disparity between the\n                                                                                 components\xe2\x80\x99 operating environments, it would\nc.   Windows 2000 Professional                                         No\n                                                                                 not be feasible to implement the guidelines\nd.   Windows 2000                                                      Yes       throughout the department. Nonetheless, DHS\ne.   Windows 2000 Server                                               No        is working with its components to develop\nf.   
Windows 2003 Server                                               No        minimum agencywide security con\xef\xac\x81guration\ng.   Solaris                                                           Yes       polices and procedures. Once completed, DHS\nh.   HP-UX                                                             No        will rely on its components to develop more\ni.   Linux                                                             No        speci\xef\xac\x81c guidelines applicable to their operating\nj.   Cisco Router IOS                                                  No        respective environments.\nk.   Oracle                                                            No\n                                                                             DHS issued security con\xef\xac\x81guration guides for\n                                                                             Windows 2000 and Solaris (dated September\nl. Other (specify):                                                   No     16, 2004); however, due to our FISMA deadline,\n                                                                             we did not have time to review the guidelines.\n                                                                   Yes or No                   Evaluation\n                                                                                 Patch management is the responsibility of the\n                                                                                 components. However, the DHS Computer\nDo the con\xef\xac\x81guration requirements implemented above,                              Security Incident Response Center (CSIRC)\naddress patching of security vulnerabilities?                                    
has implemented the Information Security\n                                                                      N/A\n                                                                                 Vulnerability Message, which is a technical\n                                                                                 advisory bulletin, sent to each component\xe2\x80\x99s\n                                                                                 CSIRC, that provides them with the latest\n                                                                                 information related to updates and patches.\n\n\n\n\n                    Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004                                 Page 29\n\x0cAppendix I\nIncident Detection and Handling Procredures\n\n\n\nIncident Detection and Handling Procedures\nEvaluate the degree to which the following statements re\xef\xac\x82ect the status at your agency. If appropriate or\nnecessary, include comments in the Comment area provided below.\nStatement                                                                        Evaluation\n\na. The agency follows documented policies and procedures for\n                                                                                                      Yes\n   reporting incidents internally.\n\nb. The agency follows documented policies and procedures for\n                                                                                                       No\n   external reporting to law enforcement authorities.\nc. The agency follows de\xef\xac\x81ned procedures for reporting to\n   the United States Computer Emergency Readiness Team                                                Yes\n   (US-CERT). 
http://www.us-cert.gov\nIncident Detection Capabilities.\n                                                                                                        Percentage of Total\n                                                                             Number of Systems\n                                                                                                             Systems\na. How many systems underwent vulnerability scans and\n                                                                                    5202(a)                     (b)\n   penetration tests in FY 2004?\nb. Speci\xef\xac\x81cally, what tools, techniques, technologies, etc., does the agency use to mitigate IT security risk?\nAnswer: DHS employs various devices and technologies (such as network and host based intrusion detection devices, packet\n\xef\xac\x81ltering, and proxy \xef\xac\x81rewalls) to help protect against malicious activity and to mitigate its IT security risks.\nComments:\n\n(a)\n      We obtained this number from DHS. For this question only, DHS de\xef\xac\x81nes systems as unique internet protocol addresses.\n      Therefore, the number reported in the table is not the total number of systems that underwent vulnerability scans and\n      penetration tests in FY 2004. The number represents only a fraction of systems\xe2\x80\x99 vulnerability scans and penetration\n      tests performed. DHS could not determine the total number of systems, or determine the percentage that underwent\n      vulnerability scans or penetration tests conducted in FY 2004, because some of the organizational components are\n      not reporting the results of their scans and tests to DHS\xe2\x80\x99 Computer Security Incident Response Center or to Security\n      Operations.\n\n(b)\n      We did not obtain this information. 
Refer to DHS\xe2\x80\x99 FY 2004 FISMA report for this number.\n\n\n\n\nPage 30                               Evaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004\n\x0c                                                                 Appendix J\n                                                                 Major Contributors to this Report\n\n\n\n\n      Of\xef\xac\x81ce of Information Technology\n      Information Security Audit Division\n\n      Edward G. Coleman, Director\n      Barbara Bartuska, Audit Manager\n      Jeff Arman, Audit Manager\n      Patrick Nadon, Audit Manager\n      Chelsea Pickens, Senior IT Auditor\n      Tom Tsang, Senior IT Auditor\n      Benita Holliman, IT Auditor\n      Pedro Calderon, IT Auditor\n      William Matthews, IT Auditor\n      Chris Udoji, IT Auditor\n      Jason Bakelar, IT Auditor\n      Michelle Bellamy, IT Auditor\n      Scott Binder, IT Auditor\n      Werner Roberts, IT Auditor\n      Evan Portelos, Associate\n      Meghan Sanborn, Referencer\n\n\n\n\nEvaluation of DHS\xe2\x80\x99 Information Security Program for Fiscal Year 2004                      Page 31\n\x0cAppendix K\nReport Distribution\n\n\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff\n                      General Counsel\n                      DHS OIG Liaison\n                      DHS Chief Financial Of\xef\xac\x81cer\n                      DHS CISO\n                      DHS Public Affairs\n                      CIO Audit Liaison\n\n                      Of\xef\xac\x81ce of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Appropriate Congressional Oversight and Appropriations Committees\n\n\n\n\nPage 32                       Evaluation of DHS\xe2\x80\x99 Information 
Security Program for Fiscal Year 2004\n\x0c\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Of\xef\xac\x81ce of Inspector General (OIG) at\n(202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.\ndhs.gov/oig.\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to department programs or operations, call the OIG\nHotline at 1-800-323-8603; write to Department of Homeland Security, Washington, DC\n20528, Attn: Of\xef\xac\x81ce of Inspector General, Investigations Division \xe2\x80\x93 Hotline. The OIG\nseeks to protect the identity of each writer and caller.\n\x0c'